Developed multi-level security mechanisms for a CIA-funded project in
research and development of distributed information retrieval
systems. 1984-1987
Responsible for security issues in a range of distributed computing
environments and networks over many years. 1988-2006
In looking for a tractable design methodology for secure systems, I came to
realize that none existed. Although much is understood about many aspects of
computer security, little attention has been given to the issue of how to
integrate this knowledge into a design process; of how to generate and maintain
a security architecture in a systematic, predictable manner. 1988-1990
Developed a new security design methodology (Ph.D. research), based on
object-oriented modeling of the application and environment, with information
flow analysis to automatically discover security policy violations. Safeguards
can then be modeled and added to the flow analysis to readily assess their
effects. 1990-1993
A Note on Security and Safety
Security and safety are essentially the same problem, differing
only in the "policy" that must be enforced. The "policy" is like the
requirements specification for any system, specifying what the system is
supposed to do. However, with security and safety, the requirements
specification cannot stop there. The system must not only (1) do what it is
supposed to do, but must also (2) NEVER do what it is NOT supposed to do.
The latter, #2, is what makes the design of secure or safe systems so tricky.
It is essentially a negative requirements specification with a huge (if
not infinite) domain.
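The two ideas above, modeling safeguards inside a flow analysis (1990-1993 entry) and checking a positive requirement alongside a negative "never" requirement (this note), can be illustrated with a small worked example. The code below is an added illustration written for this page; it is not the thesis methodology or any code from it. The object names, the three-level lattice, and the "safeguard declares the level of its output" convention are all constructed assumptions for the example.

```python
"""Toy information-flow check over an object model (added example, not the
author's methodology). Objects hold data at a level; directed flows say who
sends to whom; a safeguard is a trusted object whose output is declared to
be at some (usually lower) level."""
from collections import deque

# Constructed lattice: low -> high.
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "SECRET": 2}


def reachable(flows, start, stop_at=frozenset()):
    """Objects reachable from `start` along flow edges.

    Nodes in `stop_at` are reached but not traversed through; that is how a
    safeguard (anonymizer, release filter, guard) cuts an uncontrolled path.
    """
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in flows.get(node, ()):
            if nxt in seen:
                continue
            seen.add(nxt)
            if nxt not in stop_at:
                queue.append(nxt)
    return seen


def find_violations(objects, flows, safeguards=None):
    """Negative requirement: information must NEVER reach an object whose
    level is below the level it originated at, unless it passes through a
    safeguard explicitly trusted to emit at a lower level.

    objects:    name -> level of the data it holds
    flows:      name -> list of names it sends information to
    safeguards: name -> level its OUTPUT is trusted to be (assumption of
                the model; the safeguard itself must be verified separately)
    Returns a sorted list of (source, sink) pairs that violate the policy.
    """
    safeguards = safeguards or {}
    sources = dict(objects)
    sources.update(safeguards)  # a safeguard re-originates data at its output level
    violations = set()
    for src, src_level in sources.items():
        for dst in reachable(flows, src, stop_at=frozenset(safeguards)):
            if dst in safeguards:
                continue  # handing data to a safeguard is always permitted
            if LEVELS[objects[dst]] < LEVELS[src_level]:
                violations.add((src, dst))
    return sorted(violations)


def satisfies_positive(flows, src, dst):
    """Positive requirement: src's information must be able to reach dst
    (a path through safeguards is fine; the system still 'does its job')."""
    return dst in reachable(flows, src)


# Constructed sample model: payroll figures must end up on a public portal.
OBJECTS = {"hr_db": "SECRET", "payroll_app": "SECRET",
           "summary_report": "INTERNAL", "web_portal": "PUBLIC"}

# Step 1: no safeguards. The positive requirement holds, the negative fails.
FLOWS_BEFORE = {"hr_db": ["payroll_app"], "payroll_app": ["summary_report"],
                "summary_report": ["web_portal"]}

# Step 2: an anonymizer is modeled between the app and the report. The
# analysis shows it is not enough: the report still leaks to the portal.
FLOWS_PARTIAL = {"hr_db": ["payroll_app"], "payroll_app": ["anonymizer"],
                 "anonymizer": ["summary_report"], "summary_report": ["web_portal"]}
SAFEGUARDS_PARTIAL = {"anonymizer": "INTERNAL"}

# Step 3: a release filter is added before the portal; no violations remain
# and the positive requirement is still met.
FLOWS_AFTER = {"hr_db": ["payroll_app"], "payroll_app": ["anonymizer"],
               "anonymizer": ["summary_report"], "summary_report": ["release_filter"],
               "release_filter": ["web_portal"]}
SAFEGUARDS_AFTER = {"anonymizer": "INTERNAL", "release_filter": "PUBLIC"}


def assess():
    """Run the three design iterations and return their results."""
    return {
        "before": find_violations(OBJECTS, FLOWS_BEFORE),
        "partial": find_violations(OBJECTS, FLOWS_PARTIAL, SAFEGUARDS_PARTIAL),
        "after": find_violations(OBJECTS, FLOWS_AFTER, SAFEGUARDS_AFTER),
        "after_positive_ok": satisfies_positive(FLOWS_AFTER, "hr_db", "web_portal"),
    }


if __name__ == "__main__":
    for stage, result in assess().items():
        print(f"{stage}: {result}")
```

The point of the negative check is that it is computed over every source and every reachable sink, not over the paths the designer had in mind; a leftover direct edge that bypasses a safeguard (say, `payroll_app` also sending to `summary_report` in the third model) would be reported immediately. The check trusts each safeguard's declared output level, so that declaration is itself an assumption that has to be established by other means (review, testing, or a proof about the safeguard).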